Skip to main content
Question

Removing Local Admin Privilege using a Script

C
Forum|alt.badge.img+3
  • chong
  • New Contributor
  • 2 replies

Hello,

I been trying to remove local admin privilege for all users, but with an exception of two Local accounts. I was able to find a script from a previous post. For the most part it works, but one of the local admin account name has spaces in it. So when I run the script it takes in each word as a separate user. For example: if the admin account name is "The Admin" it would run as "The" as one account name and "Admin" as another account name. Not sure why the space is a delimiter. Any help would be appreciated!  

#!/bin/sh adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c -18) for user in $adminUsers do if [ "$user" != "root" ] && ( [ "$user" != "The Admin" ] || [ "$user" != "secondAdmin" ] ) then dseditgroup -o edit -d $user -t user admin if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi else echo "Admin user $user left alone" fi done

 

    4 replies

    T
    Forum|alt.badge.img+19
    • Tribruin
    • Honored Contributor
    • 582 replies
    • February 14, 2023

    Spaces are delimeters in a BASH array. You are creating the array adminUsers and then looping through it. if you were to echo $adminUsers you see something like:

    root user1 The Admin secondAdmin

    To BASH that is 5 different array elements. 

    The big question is how do have a username with a space in it? That should not be possible. Are you sure "The Admin" is a username and not a Real Name? 

    Also, your cut command in the 2nd line is incorrect. It should cut -c 18- . Otherwise you are getting the first 18 characters. 

    C
    1 person likes this
    • C
      chong
    C
    Forum|alt.badge.img+3
    • chong
    • Author
    • New Contributor
    • 2 replies
    • February 14, 2023
    Tribruin wrote:

    Spaces are delimeters in a BASH array. You are creating the array adminUsers and then looping through it. if you were to echo $adminUsers you see something like:

    root user1 The Admin secondAdmin

    To BASH that is 5 different array elements. 

    The big question is how do have a username with a space in it? That should not be possible. Are you sure "The Admin" is a username and not a Real Name? 

    Also, your cut command in the 2nd line is incorrect. It should cut -c 18- . Otherwise you are getting the first 18 characters. 


    Hello, Thanks for the response!
    After doing some digging, a previous person that used to work on Jamf, created this setting in PreStage enrollment where it created a local admin account with spaces in it. And I guess by creating it this way, the username was able to have space in it? 

    My worry was that other devices may have different usernames with spaces in it. So if I need to remove admin privilege from it, it wouldn't work. But from what it sounds like, there should be no other accounts with spaces in them, unless it was done by how I mention above.

    I thought the - after the 18 means it cut the characters after the 18th character? When I tried the script with the dash after the 18, and I did an echo of the results, it returned with nothing

    piotrr
    Forum|alt.badge.img+8
    • piotrr
    • Contributor
    • 132 replies
    • February 15, 2023

    Could you use the user ID instead? Not that I know if dseditgroup takes GIDs for operations. 

    C
    1 person likes this
    • C
      chong
    A
    Forum|alt.badge.img+16
    • AdamCraig
    • Valued Contributor
    • 182 replies
    • February 15, 2023

    Ignoring the space existing in a username issue the scripting part could be done this way

    # by replacing [ with [[ you're able to wildcard the comparison. # instead of seeing if the username = "The Admin" see if it = *"Admin"* if [[ "$user" != "root" ]] && [[ "$user" != *"Admin"* ]] && [[ "$user" != "secondAdmin" ]] ; then

     

    aparten11
    1 person likes this
    • aparten11
      aparten11

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings